Sohanad.AE is a worm that arrives as a file downloaded through Yahoo Messenger and infects Windows. Upon execution, it disables the Windows Task Manager and Registry Editor and copies itself as SVCHOST32.EXE and SVHOST.EXE in the Windows folder. These names differ from that of the Windows system file SVCHOST.EXE.

The worm modifies the registry so that it loads itself at each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo Messenger

This worm spreads through Yahoo Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipient's system.

(Below are removal instructions. You may print this page for easy reference)

Save this file with a .VBS extension. While saving, enter the name in double quotes and select All Files from the Save as type list in Notepad. For ease of use, save the file on the desktop, for example “filename.vbs”. When the file is saved as a .vbs file, its icon changes to that of a VBScript script file. Execute the file by double-clicking its name.

Click Yes at the message box prompt. Click OK.

Disable system restore

Disable System Restore in Windows ME and XP.

Click Start > All Programs > Accessories > System Tools > System Restore. Click System Restore Settings. Check the box to turn off System Restore on all drives. Press Apply, then press OK.

Delete svhost.exe and svchost32.exe

Search for and delete the files named svhost.exe and svchost32.exe. Your Windows system file is svchost.exe; do not delete it. Observe the difference: the missing c. The worm creates svhost.exe and svchost32.exe, whereas the Windows system file is svchost.exe.

Remove Autostart Entries from Registry

(If the worm has not executed yet then the entries below will be absent.)
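One way to find the leftover autostart entries, as an added example that is not part of the original removal instructions: the script below parses saved output of `reg query` for the Run key named above and flags values that launch svhost.exe or svchost32.exe while leaving the genuine svchost.exe alone. The sample output and its value names are constructed for illustration.

```python
import ntpath
import re

# File names the page attributes to the worm; svchost.exe is the real Windows file.
WORM_NAMES = {"svhost.exe", "svchost32.exe"}

# Matches one value line of `reg query` output: name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def executable_name(command):
    """Return the lower-cased file name of the program a Run value launches."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: the program is everything up to the closing quote.
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted: cut after the first ".exe" so paths with spaces survive.
        m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def suspicious_run_values(reg_query_output):
    """Return (value name, data) pairs whose program is one of WORM_NAMES."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if m and executable_name(m.group("data")) in WORM_NAMES:
            hits.append((m.group("name"), m.group("data").strip()))
    return hits


# Constructed sample of `reg query` output; the value names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet
    ExampleEntryA    REG_SZ    C:\WINDOWS\SVHOST.EXE
    ExampleEntryB    REG_SZ    "C:\WINDOWS\svchost32.exe" -start
    ExampleService    REG_SZ    C:\WINDOWS\system32\svchost.exe -k example
"""

if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE):
        print(f"remove Run value {name!r}: {data}")
```

The comparison is on the exact file name, case-insensitively, so an entry pointing at the real svchost.exe is never reported.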